The title here is misleading. The original article does not state breach and at no point have Mixpanel used that term.

It was SMS Phishing, a.k.a. Social Engineering.

It anything, it’s opposite of breach.

Email from OpenAI: Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider that OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com). The incident occurred within Mixpanel’s systems and involved limited analytics data related to your API account.

This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.

What happened On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.

What this means for you User profile information associated with use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to: Name that was provided to us on the API account Email address associated with the API account Approximate coarse location based on API user browser (city, state, country) Operating system and browser used to access the API account Referring websites Organization or User IDs associated with the API account

It's a suspicious post, why would you make a post if attackers are performing a sms phishing, that happens all the time.